[nycbug-talk] Top Level Domain SSL Certificates

Miles Nordin carton at Ivy.NET
Fri Feb 29 12:18:57 EST 2008


>>>>> "mj" == Matt Juszczak <matt at atopia.net> writes:
>>>>> "dl" == Dan Langille <dan at langille.org> writes:

    mj> in my opinion not the best idea security wise,

I guess.  my counter-opinion would be, once the browsers are accepting
certs of this kind, the security compromise is already made.  but I
guess if you want to compartmentalize compromises within your
organization, more restrictive certs would be nicer.

It would be nice if certs were tied more to DNS, sort of like SPF for
email, so you could limit which authorities were allowed to issue
certs for a given subdomain of yours.  Then the next step is to throw
out the whole mess of shady credit agencies running CA's and tie it
all to DNS.  it's such a broken scam.

    dl> As a user and assurer for CACert <http://www.cacert.org/>
    dl> perhaps using CACert is attractive.

yeah, I'm also a cacert assurer, but i can only give a small number of
points.  The germans were all crazy about it and signed me up.  my
experience with CACert is that they suck, enough that I'm slightly
embarassed to publish one of their certs.  People have unanswered
questions on their mailing list all the time.  And it seems like their
sysadmin infrastructure is kind of asleep at the wheel---it's doing ok
on autopilot, but everyone is afraid to touch it, and they have
problems they acknowledge but don't fix for >1yr.  (so i guess it
should be great for BSD people, since after all their heart's in the
right place.  ARGH.)  And finally I found some documentation on their
site which is confusingly tangled and hopelessly outdated and plain
wrong which basically says that wildcard certs don't work at all in IE
version this-or-that and Firefox version blah, when in fact the docs
are besides being unreadable, flat out wrong.  and never corrected
after I pointed it out.

The other problem I have is that the whole assurers system and the
rules of it are quite silly.  It is more like a scientology
loyalty-building scam than an actual part of the cert-issuing process.
You can get the certificate that 99% of people actually give a shit
about, the web server cert, by simply being able to receive email at a
registered contact of your domain.  You just get it for 6 months
validity only.  Then, after 5 months, go get another one.  They make
this big deal aobut what X.509 or subject data or whatever is in the
cert, but (a) this i sjust sillyness becuase the web browser doesn't
look at it, only looks at the domain name part, and (b) is not solved
by the assurers system anyway and requires faxing documents around,
but ``solved'' is wrong becuase of (a).  The 6-month certs you get by
not dealing with ``assurers'' at all are just as good for web browsers
as anything else you get from them.  so they have set up this whole
infrastructure of human assurers checking ID's which is basically
meaningless---it's only necessary for S/MIME certs and code-signing
certs.  For the former I think most CACert-friendly geeks are for a
variety of reasons more comfortable with the PGP WoT than S/MIME and
government ID's.  For the latter, there are even more silly CACert
rules seemingly designed to prove you are a trustworthy person to
write code for running on an unsuspecting potential victim's machine,
nothing about simply binding the signature to a recognizeable brand
and letting the user decide how much they trust the brand when the
code-execution box pops up.  All around, it's like they don't
understand their role clearly, nor does anyone who ``trusts'' them to
perform it.

which is somewhat par for any CA, but IMHO it is quite a mess with
CACert.

    dl> not even sure if you can get a wild carded cert from CACert.
    dl> But perhaps issues the certs you need, for free, is what you
    dl> want instead of wildcarding.

yes, exactly, you cannot get wildcard cetrts from CACert, but since
you can get as many certs as you want for free, it's better for you to
do that.  I think you would rather---it was the cost that made you
want wildcard in the first place.

but, moving on, I would also like to buy a non-CAcert certificate that
actually works in firefox and IE.  Where should I go?  If you think
this shopping-question makes too much OT traffic, reply to me
privately and I promise to post a summary.

oh, also, i am interested in code-signing for Java but do not really
understand how it works.  so if someone can get me started reading
about that, much appreciated too.  :/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20080229/c9dd381b/attachment.bin>


More information about the talk mailing list